Increasingly, firms are being victimized by electronic fund transfer (“EFT” or “wire transfer”) fraud crimes. Many of these incidents started with fraudulent emails originally directed to senior-level administrators (a practice known as phishing). These emails have familiar logos and similar (but slightly different) email addresses, sender names, and signatures which would not normally raise suspicion about their legitimacy. In some cases, phone calls are received from people masquerading as existing vendors’ personnel (a practice known as vishing).
EFTs and EFT Fraud
EFT refers to the electronic transfer of money from one financial institution to another. It includes activities such as ACH (Automated Clearing House) transactions, wire transfers, electronic checks, credit/debit card payments, payroll direct deposits, ATM activities, and the use of mobile apps such as Venmo. All are fast and generally safe ways to send and receive payments. However, they’re becoming a leading way for criminals to steal funds. The good news is that tools and methods to fight back exist.
Tips to Avoid Becoming a Victim of EFT Fraud
Preventing most EFT fraud is a matter of isolating work practices from the hazards causing these incidents (engineering controls) and changing the ways we work (administrative controls). For example, firms should consider the following:
Engineering controls
- Implement Positive Pay for all checks and ACH transactions. This is an online banking fraud mitigation service that lets firms manage, via filters and blocks, the ACH debits and credits posted to their business accounts.
- Use a verified Vendor/Supplier Portal for entry and validation of critical information (name, address, bank account, tax ID number).
- Use a secured Employee Portal where employees enter initial and requested changes to critical information (address, bank account information); each change needs secondary approval from another employee.
- Use multi-factor authentication with all these and other critical systems.
Administrative controls
- Ensure that employees who have control over EFT disbursement are:
  - Restricted to approvals only with the co-approval of another authorized employee (i.e., a two-deep approval process),
  - Subject to unannounced rotation of duties,
  - Precluded from having relatives who work in the firm’s bookkeeping, audit, data processing, or funds transfer request departments or areas,
  - Required to take a minimum number of consecutive days as part of their annual vacation, and
  - Immediately re-assigned if they have given notice of resignation or have been notified of pending termination.
- Implement a call-back verification process. Verbally confirm every change to critical information by calling back using trusted contact information already on file.
- Be wary of sudden changes in vendor practices or information on file. Carefully review and verify that email names and extensions are accurate and legitimate, including single letter changes or changes in the extension from “.edu” or “.com” to “.org” or “.us”.
- Always perform a validation transfer (or test deposit) with a blind confirmation for all new vendors or vendors requesting a change in electronic banking information.
- Set limits on the dollar value of allowed EFTs.
- Do not use the “Reply” option to respond to emails related to payment directions. Instead, use the “Forward” option and type in the known-correct email address yourself.
- Implement regular training of your firm’s employees in fraud prevention practices.
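The email-address checks described above (single-letter changes and swapped extensions such as “.edu” to “.org”) can be screened automatically before a payment-change request reaches an approver. The script below is an added example, not code from the original article; the approved vendor domains and the sender addresses are constructed sample data, and anything other than an exact match is routed to the call-back step.

```python
# Added example: look-alike sender-domain check (constructed data, not the
# article's code). Vendor name -> email domain verified at onboarding.
APPROVED_VENDORS = {
    "Acme Supply": "acmesupply.com",
    "State University": "stateuniv.edu",
}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; 1 means a single-character change."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(address: str) -> tuple:
    """Return (verdict, reason): ok, suspicious (look-alike), or unknown."""
    _, at, domain = address.strip().lower().rpartition("@")
    if not at or "." not in domain:
        return "suspicious", f"malformed address {address!r}"
    approved = sorted(set(APPROVED_VENDORS.values()))
    if domain in approved:
        return "ok", f"{domain} is an approved vendor domain"
    name, _, ext = domain.rpartition(".")
    for good in approved:
        good_name, _, good_ext = good.rpartition(".")
        # Same name, different extension (.edu -> .org, .com -> .us ...)
        if name == good_name and ext != good_ext:
            return "suspicious", f"{domain} swaps .{good_ext} for .{ext}"
        # One character inserted, deleted or substituted (acmesuppIy.com)
        if edit_distance(domain, good) <= 1:
            return "suspicious", f"{domain} is one character from {good}"
    return "unknown", f"{domain} is not an approved vendor domain"

def triage(addresses):
    """Classify a batch; anything but 'ok' needs a human call-back first."""
    return {addr: classify_sender(addr) for addr in addresses}

if __name__ == "__main__":
    SAMPLE_SENDERS = [  # constructed sample data
        "ap@acmesupply.com", "ap@acmesuppIy.com", "ap@acme-supply.com",
        "bursar@stateuniv.org", "billing@newvendor.net",
    ]
    for addr, (verdict, reason) in triage(SAMPLE_SENDERS).items():
        print(f"{verdict:10} {addr:26} {reason}")
```

An exact domain match only means the address is not a look-alike; it does not replace the call-back and test-deposit steps for any change to banking information.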